
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Release Tools Bot <robert+release-tools@gitlab.com>2019-11-26 15:01:52 +0300
committerGitLab Release Tools Bot <robert+release-tools@gitlab.com>2019-11-26 15:01:52 +0300
commit1c029e63564daacfc77488968b5f8b9e3ef5470a (patch)
tree2fbea12cb0f6770e7b58d6b732208c1049aef8c2
parent4c442bdda212490c660a4c0acd82d03f60d72dc9 (diff)
parent518835f78247bee12e5ce75b4efe03bdb79b5004 (diff)
Merge branch 'security-exclude_ids_attribute_cleaning-12-5-ce' into '12-5-stable'
Ensure attributes that end in `_ids` are cleaned. See merge request gitlab/gitlabhq!3558
-rw-r--r--changelogs/unreleased/security-exclude_ids_attribute_cleaning.yml5
-rw-r--r--lib/gitlab/import_export/attribute_cleaner.rb2
-rw-r--r--spec/lib/gitlab/import_export/attribute_cleaner_spec.rb5
3 files changed, 10 insertions, 2 deletions
diff --git a/changelogs/unreleased/security-exclude_ids_attribute_cleaning.yml b/changelogs/unreleased/security-exclude_ids_attribute_cleaning.yml
new file mode 100644
index 00000000000..08fc1393f20
--- /dev/null
+++ b/changelogs/unreleased/security-exclude_ids_attribute_cleaning.yml
@@ -0,0 +1,5 @@
+---
+title: Ensure are cleaned by ImportExport::AttributeCleaner
+merge_request:
+author:
+type: security
diff --git a/lib/gitlab/import_export/attribute_cleaner.rb b/lib/gitlab/import_export/attribute_cleaner.rb
index b2fe9592c06..50fec9f3eb9 100644
--- a/lib/gitlab/import_export/attribute_cleaner.rb
+++ b/lib/gitlab/import_export/attribute_cleaner.rb
@@ -4,7 +4,7 @@ module Gitlab
module ImportExport
class AttributeCleaner
ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + %w[group_id commit_id]
- PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_html\Z/).freeze
+ PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/).freeze
def self.clean(*args)
new(*args).clean
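Review bot: `PROHIBITED_REFERENCES` remains a suffix deny-list with no comment explaining why each suffix is unsafe to accept from an import file, so the next generated writer that is not listed would pass through just as `_ids` did before this commit. I would add a comment above the constant, for example `# Keys matching these patterns reach association writers (belongs_to *_id=, has_many *_ids=) or cached render fields and must never be taken from imported data`, and fold the two id patterns into `/_ids?\Z/`. It is also worth confirming that nested-attribute keys (`*_attributes`) are rejected somewhere. The body of the cleaner lies outside this hunk, so that cannot be checked from here.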
diff --git a/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb b/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
index 873728f9909..1b28e26a7e8 100644
--- a/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
+++ b/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
@@ -24,7 +24,10 @@ describe Gitlab::ImportExport::AttributeCleaner do
'_html' => '<p>perfectly ordinary html</p>',
'cached_markdown_version' => 12345,
'group_id' => 99,
- 'commit_id' => 99
+ 'commit_id' => 99,
+ 'issue_ids' => [1, 2, 3],
+ 'merge_request_ids' => [1, 2, 3],
+ 'note_ids' => [1, 2, 3]
}
end
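Review bot: The three added keys only exercise the removal path, and all of them carry the same value, an array of integers. Nothing visible checks that a key merely containing `_ids` survives cleaning (a constructed example: `'ids_total' => 3`), so a pattern that lost its `\Z` anchor would still pass this spec. Adding one such key here and to the expected hash would pin the anchor. The expected-result hash and the `expect` call are outside the hunk, so I am assuming the new keys are asserted absent there.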